CVE-2023-24539

Published: May 11, 2023

Modified: Jan 24, 2025

PUBLISHED

Description

Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.

Vendor	Product	Versions
Go standard library	html/template	affected `0 - < 1.19.9` affected `1.20.0-0 - < 1.20.4`

References

https://go.dev/issue/59720

https://go.dev/cl/491615

https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU

https://pkg.go.dev/vuln/GO-2023-1751

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-24539

Description

Affected Products

References